The detection identifies potential webshell activity by monitoring web server request logs for known command strings associated with Windows-based webshells, which adversaries commonly use to execute arbitrary code and maintain persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage webshell-based attacks before they lead to data exfiltration or lateral movement.
Detection Rule
title: Windows Webshell Strings
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
status: test
description: Detects common commands used in Windows webshells
references:
    - https://bad-jubies.github.io/RCE-NOW-WHAT/
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-02-19
modified: 2022-11-18
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection_method:
        cs-method: 'GET'
    selection_keywords:
        # "%20" is the URL-encoded form of a space
        # "%2B" is the URL-encoded form of "+"
        # A trailing "%" is a literal character (the start of the next URL-encoded byte), not a wildcard
        - '=whoami'
        - '=net%20user'
        - '=net+user'
        - '=net%2Buser'
        - '=cmd%20/c%'
        - '=cmd+/c+'
        - '=cmd%2B/c%'
        - '=cmd%20/r%'
        - '=cmd+/r+'
        - '=cmd%2B/r%'
        - '=cmd%20/k%'
        - '=cmd+/k+'
        - '=cmd%2B/k%'
        - '=powershell%'
        - '=powershell+'
        - '=tasklist%'
        - '=tasklist+'
        - '=wmic%'
        - '=wmic+'
        - '=ssh%'
        - '=ssh+'
        - '=python%'
        - '=python+'
        - '=python3%'
        - '=python3+'
        - '=ipconfig'
        - '=wget%'
        - '=wget+'
        - '=curl%'
        - '=curl+'
        - '=certutil'
        - '=copy%20%5C%5C'
        - '=dsquery%'
        - '=dsquery+'
        - '=nltest%'
        - '=nltest+'
    condition: all of selection_*
falsepositives:
    - Web sites like wikis with articles on OS commands and pages that include the OS commands in the URLs
    - User searches in search boxes of the respective website
level: high
// Sentinel (KQL) form of the rule above. Sigma keywords match anywhere in the
// record; here they are applied to the ASIM WebSession Url field, which carries
// the query string. 'contains' is a case-insensitive substring match, so the
// literal '%' characters in the keywords are matched as-is (not as wildcards).
imWebSession
| where HttpRequestMethod =~ "GET"
| where Url contains "=whoami"
    or Url contains "=net%20user"
    or Url contains "=net+user"
    or Url contains "=net%2Buser"
    or Url contains "=cmd%20/c%"
    or Url contains "=cmd+/c+"
    or Url contains "=cmd%2B/c%"
    or Url contains "=cmd%20/r%"
    or Url contains "=cmd+/r+"
    or Url contains "=cmd%2B/r%"
    or Url contains "=cmd%20/k%"
    or Url contains "=cmd+/k+"
    or Url contains "=cmd%2B/k%"
    or Url contains "=powershell%"
    or Url contains "=powershell+"
    or Url contains "=tasklist%"
    or Url contains "=tasklist+"
    or Url contains "=wmic%"
    or Url contains "=wmic+"
    or Url contains "=ssh%"
    or Url contains "=ssh+"
    or Url contains "=python%"
    or Url contains "=python+"
    or Url contains "=python3%"
    or Url contains "=python3+"
    or Url contains "=ipconfig"
    or Url contains "=wget%"
    or Url contains "=wget+"
    or Url contains "=curl%"
    or Url contains "=curl+"
    or Url contains "=certutil"
    or Url contains "=copy%20%5C%5C"
    or Url contains "=dsquery%"
    or Url contains "=dsquery+"
    or Url contains "=nltest%"
    or Url contains "=nltest+"
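The rule's logic, applied offline to IIS W3C log lines, is shown below as an added example; it is not part of the Sigma rule or the Sentinel query, and the log records, the field order in the `#Fields:` directive and the search-endpoint allowlist (`SEARCH_ENDPOINT_ALLOWLIST`) are constructed here to illustrate the documented wiki/search-box false positive. It matches the same way the rule does (GET method, case-insensitive substring match on the raw, still-encoded request) and shows how a tuning exclusion changes the result.

```python
"""Apply the 'Windows Webshell Strings' rule logic to IIS W3C log lines.

Added example (not the rule's or Sentinel's own code). The log lines below are
constructed; the search-endpoint allowlist is a hypothetical tuning step for
the rule's documented false positive (user searches containing OS commands).
"""
from dataclasses import dataclass

# Keyword list copied from the rule's selection_keywords. A trailing '%' is a
# literal character (start of a URL-encoded byte), not a wildcard.
WEBSHELL_STRINGS = (
    "=whoami", "=net%20user", "=net+user", "=net%2Buser",
    "=cmd%20/c%", "=cmd+/c+", "=cmd%2B/c%",
    "=cmd%20/r%", "=cmd+/r+", "=cmd%2B/r%",
    "=cmd%20/k%", "=cmd+/k+", "=cmd%2B/k%",
    "=powershell%", "=powershell+", "=tasklist%", "=tasklist+",
    "=wmic%", "=wmic+", "=ssh%", "=ssh+",
    "=python%", "=python+", "=python3%", "=python3+",
    "=ipconfig", "=wget%", "=wget+", "=curl%", "=curl+",
    "=certutil", "=copy%20%5C%5C", "=dsquery%", "=dsquery+",
    "=nltest%", "=nltest+",
)

# Hypothetical tuning: site search endpoints whose query strings legitimately
# carry command names typed by users (the rule's documented false positive).
SEARCH_ENDPOINT_ALLOWLIST = ("/wiki/search", "/search")

# Constructed IIS W3C extended log (not real data). The third and fourth
# records mimic webshell parameter use; the fifth is a wiki search; the
# sixth is a POST and therefore outside the rule's GET-only scope.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.7 200
2024-05-01 10:00:05 10.0.0.5 GET /aspnet_client/x.aspx cmd=whoami 203.0.113.7 200
2024-05-01 10:00:09 10.0.0.5 GET /aspnet_client/x.aspx cmd=net%20user 203.0.113.7 200
2024-05-01 10:01:00 10.0.0.5 GET /wiki/search q=cmd+/c+explained 198.51.100.4 200
2024-05-01 10:02:00 10.0.0.5 POST /aspnet_client/x.aspx cmd=tasklist 203.0.113.7 200
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    uri: str
    matched: str


def parse_w3c(lines):
    """Yield one dict per record, using the '#Fields:' directive for column names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def match_webshell_strings(record):
    """Return the first matching keyword, or None.

    Mirrors the rule: cs-method must be GET, and any keyword must appear in the
    request (compared case-insensitively, as Sigma string matching is).
    """
    if record.get("cs-method", "").upper() != "GET":
        return None
    uri = record.get("cs-uri-stem", "") + "?" + record.get("cs-uri-query", "")
    lowered = uri.lower()
    for kw in WEBSHELL_STRINGS:
        if kw.lower() in lowered:
            return kw
    return None


def hunt(lines, suppress_search_endpoints=True):
    """Run the rule over log lines; optionally drop hits on search endpoints."""
    hits = []
    for rec in parse_w3c(lines):
        kw = match_webshell_strings(rec)
        if kw is None:
            continue
        if suppress_search_endpoints and rec["cs-uri-stem"].lower() in SEARCH_ENDPOINT_ALLOWLIST:
            continue
        hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"],
                        rec["cs-uri-stem"] + "?" + rec["cs-uri-query"], kw))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit)
```

With the search-endpoint exclusion on, the run yields two hits, both from the same client against `/aspnet_client/x.aspx`; with it off, the wiki search for `cmd+/c+` is reported as well, which is exactly the false positive the rule documents. The POST record never matches because the rule's `selection_method` restricts it to GET, so a hunt that wants to cover POST-based webshells needs a separate query.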
Scenario: Legitimate PowerShell Script Execution
Description: A system administrator is running a legitimate PowerShell script that contains common webshell-like commands (e.g., Invoke-WebRequest, IEX) as part of a routine system update or configuration task.
Filter/Exclusion: Check for the presence of known administrative tools or scripts (e.g., Update-Module, Install-Module) or filter by process name like powershell.exe with a known source path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Scheduled Task with Webshell-Like Commands
Description: A scheduled task is configured to run a script that includes commands resembling webshell activity, such as cmd /c or powershell -Command, but is part of a legitimate automation process (e.g., deploying a web application).
Filter/Exclusion: Filter by the task name or description using the TaskName or TaskDescription fields. Exclude tasks that are known to be part of standard deployment or maintenance workflows.
Scenario: Admin Task Using certutil or bitsadmin
Description: An administrator is using certutil or bitsadmin to transfer files or manage certificates, which may include command-line arguments that resemble webshell strings.
Filter/Exclusion: Filter by command-line arguments that are known to be part of legitimate certutil or bitsadmin operations (e.g., certutil -addstore, bitsadmin /transfer).
Scenario: Web Server Configuration or Maintenance
Description: A web server administrator is configuring or maintaining a web server, which may involve executing commands like echo or copy that could be flagged by the rule.
Filter/Exclusion: Filter by process name